From YouTube: OpenSSF November Town Hall Meeting (November 15, 2021)
Description
The OpenSSF Community and Staff give a quarterly update on all things OpenSSF!

A
Hello everyone. I'm starting this now, even though it's not quite time yet, because I want to make sure that we eliminate any technical problems. So we will actually start for real in a little bit.

B
Thank you, let's see if this all can work. Let's see, I cannot start my video because the host has stopped it.

B
Okay, well, I'll send some things in on Slack, then.

B
The only singing I've done recently has been to my daughter, while reading Lord of the Rings, and trying to sing the hobbit and elf songs in it.

A
Yeah, I don't have it right here, but there's actually a whole book about the music in the Lord of the Rings. I cannot recommend it enough. It is spectacular, you know, it examines every motif and, you know, how they interact over time. You know, this is this, this is that, you know, the history of the ring is this tune, this is this, and here's how they interact here and why they interact. It's just.

A
You know, it reminds me of Wagnerian, but it's right now, and it's just really, really spectacular stuff.

B
Well, the six-year-old would probably be all into advanced linguistic analysis, and no, I was gonna tweet out, hey, we've just finished reading the, you know, 1200 pages of the Lord of the Rings. What should we read next, you know, Les Misérables?

B
Exactly. Who should I... I'm happy to present a slot from my slides, if that's appropriate, yeah.

A
We probably ought to talk about who's presenting what. I am happy to present whatever. I assume that I was going to start with the structure of the various groups slide and keep going, and tell somebody it was somebody else's turn.

B
I think, from basically the big picture so far, we'd start with you and then, if Michael Scovetta is online, he would pick up Alpha-Omega and then back to you for everything else, unless Dan or Abhishek are able to join and could take on SLSA and the Scorecard.

A
Right, right, so I think maybe we should just do... is look for Kim or Abhishek.

A
Yeah, there's a complication, I mean Dan would be a perfectly reasonable person for SLSA; for Scorecard, I would think Abhishek, but obviously they don't only know.

B
So Michael Scovetta's confirmed he'll be able to speak to it, and then, yeah, we could just be ad hoc with the others. I'm, you know, even though this is a webinar, I want to keep it feeling casual. Does that make sense? Yeah, oh, and I see we already have two folks, Amir and Chris, in our attendees list. Hi.

B
Oh no, they can't chat us, though. All right, well, we're just getting set up and chatting about the agenda and the like, so I'm probably going to, because I'm shy, turn my camera off now, just because I know it works, and we'll come back on right at the start of the hour.

A
Shyness is not something I've been accused of recently; however, I am properly caffeinating with my bubbly caffeine, so yeah. Chris, Chris, and we were talking about Lord of the Rings and the awesome music score, so having nothing to do with this particular webinar. But, you know, it's fun. I can recommend it.

A
Well, that's what you were talking about. I was actually talking about the musical analysis of the movies. Oh, oh, oh, okay.

A
Yes, Howard Shore, that's right.

B
Hey all, we're still getting ready. I see a few people we'll promote to co-host, so just give us one second.

B
Hello everyone, it's 10 a.m. Pacific. We'll get started in a few minutes. I'll just let a few more people trickle in and we'll get underway. Thanks.
B
We try to do these on a regular basis, and this is mainly intended for people who are new to the community or considering joining the community, though it's also a chance for us to hear from current community members and just get an update on a couple of the projects going on, and hear from some of the community members, but also certainly have some time for a conversation within the community as well.

B
So this is intended to be loose, not necessarily, you know, tightly polished and wired, but we want to hear from all of you, whether you've been part of the community for a long time or are brand new to this. So please feel free to engage as we get going, and David, I'll depend on you to interrupt me if anything seems amiss. As with all Linux Foundation meetings, we start with the antitrust policy notice.

B
This is just a reminder to all of us of why we're here: we're here to work on open source software and, in particular, in our case, improving the state of open source software and building digital public goods, which is kind of the new catchphrase, I think, for a lot of what we're doing here. But if any of you have any questions about this kind of thing, feel free to consult the Linux Foundation's antitrust policy notice linked here, or ask one of us for some more guidance.

B
This meeting, like all of our meetings, is also conducted under the aegis of the Linux Foundation's code of conduct. This is one other thing just to familiarize yourself with.

B
This is intended to make this space a professional space, and one where we should feel free to be ourselves, but be the best side of ourselves as well, and ensure a harassment-free experience for all participants. And just one little bit of housekeeping: we'll try to see, if we have a lot of questions, we'll do this through a moderated Q&A process, and certainly we'll want to hear from some other participants in the community.

B
If you do have a question you want to ask, it might get lost in the stream of conversation on chat. So if you specifically have a specific question, please add it to the Q&A and we will consult that as we go through.

B
We have an agenda. That'll take us probably through the first 25-30 minutes of the hour together, and then leave the remaining 30 minutes for Q&A.
A
I'll give a brief, you know, welcome and an update on just the numbers and the commitments that we've received, and then hand the mic off to David.

B
To give us a big picture of what OpenSSF is trying to tackle out here, and then some updates on some of the projects, either that have just launched or are already underway, and then we'll leave the time open for Q&A. So, just as a quick kind of blast. So last month we announced the... not quite fair to call it a relaunch, because this really is about adding booster rockets to a rocket ship.

B
That already was well on its way to interesting places, but on October 15th we announced at KubeCon the launch of new commitments, financial commitments from a set of major organizations, some of whom had been involved with OpenSSF to date, some of whom are brand new to it. We had a lot of press coverage from that, and I always laugh at the stock photos that folks decide to add to cybersecurity articles. So I thought this one was particularly cute.

B
I would have hoped they'd add a stuffed goose to it, given our mascot, and we'll have to find some way to get those plush geese out to as many places as we can. I know David has one in his background. If you can see his video, he's holding it up. But it was really great to get the public awareness of the importance of securing the software supply chain, which is what we're all about, to see the recognition for the hard work.

B
That's already been done by this community and in projects that have really kind of been launched in the periphery and under the aegis of this, like SLSA and sigstore and other projects that are coming up, that, you know, we're still sorting out how to better, more formally support at OpenSSF. So really good last month. And, as many of you know, the model for how we at the Linux Foundation fund our efforts here.

B
Typically, the financial sustainability model is focused on memberships by corporations large and small, who commit to pulling together and participating at a governance level for their membership dues, but really leaving the technical implementation work to the community, really making sure that we're publicly engaged with anybody who has expertise and interest and time, the three magic kind of things.

B
Hopefully you find all three at the same time, or at least two of them, and make sure that what we're doing is public-facing and transparent and the like. But it's really the financial support of folks like those in the stream who are able to really help make this work.

B
And I really just want to call out both the long-term commitment from the beginning from many of the companies that are listed here, from Google, from Microsoft, from IBM and several of the others, from Red Hat, of course, and then many of the new participants here as well: AWS and Snyk and VMware and Cisco and 1Password, which is that funny...

B
...little logo in the lower right-hand corner, as well as organizations like Fidelity, Morgan Stanley and, you know, others who are realizing that they are major consumers of technology. You know, I found out last week Morgan Stanley has 12,000 software developers.

B
How many of the other logos here have that many software developers on staff? It's crazy. Anyways, so I'm really happy to have those organizations committing to this process, and a week and a half ago we hosted a governing board meeting on the periphery of the Linux Foundation Member Summit, where we had high-level representatives from each of these companies, in some cases the CTO of certain organizations, or the CSO, or a senior VP who manages security products.

B
These are our high-level representatives committing not just their organizations' financial resources but time to making this work. We also have been blessed by having a large number of the organizations that have been a part of this from the beginning also signing up as general members, also a financial commitment, certainly a major one, especially for organizations that are younger and startups, and they're also saying this is an important project. This is something we want to align with.

B
Organizations like GitLab and DTCC. DTCC, by the way, is an organization that trades all the securities on Wall Street, actually holds them in repository, and it's one of those major kind of glue organizations in the financial services sector you never hear about, but they do something on the order of two quadrillion dollars worth of trades a year in those securities. So really major to see. Also really good to see the international footprint in the form of Tencent, for example, and I think we'll see a lot more representation from Asia coming very soon.
B
So thank you to all of you who've brought your organizations and who've been involved in the project, obviously, since the beginning, but who also said, hey, this is worth us jumping in and committing to financially, and thanks to those commitments we now have... I know two quadrillion dollars is not a phrase you often hear, said David in chat. And that is not an overstatement in the size it is.

B
It is in the thousands of trillions, so we're at a number a little bit smaller than that so far, but a number that is still impressive, nonetheless, for open source projects, and we do anticipate growing further. What we announced was over 10 million in new funding commitments from those organizations to these efforts, and just over half of that is coming from funding from that membership.

B
Those membership dues, as I described, will go into funding core OpenSSF efforts, supporting the working groups and having, for many of the efforts, the working groups, some funding to be able to apply, whether in the form of grants to be able to make to projects, or software development to help build a service, or other types of ways to increase the impact that those working groups can have. It'll also go into advocacy work.

B
What you might call marketing and devrel and PR and those kinds of things, reaching both to developers but also to the end user community to help them understand why it's important to tackle many of these issues. I mean, a lot of what we need to do is raise the level of conversation out there and make people aware of the good efforts in the working groups, but also the importance of tackling this problem.

B
A lot of people just hear about the hacks, about the big breaches, and assume somebody else is dealing with hardening the underlying infrastructure. Well, we are the cavalry, you know, and letting people know that we're working on this is pretty important.

B
We also committed to putting together some funding around mentorship programs that the Linux Foundation has done in other projects very successfully, as well as travel funds to help many of the developers in our community get to some of the events to be able to present their work at different conferences, as well as ourselves being able to have presences at events.

B
You know, third-party events. We haven't formulated the list exactly yet or really figured out how and where we want to be, but think about the typical security events out there that, you know, everybody in the space is at, making sure that our voice is there, rises above the noise, but also think about the non-traditional types of IT events. You know, non-traditional, non-security-specific, but ones that have an interest in that. For example, the HIMSS conference in health IT, perhaps that's an event.

B
We should be at, so having some funding available for that, and then looking at, and we haven't pulled the trigger on this, but looking at doing an OpenSSF-branded and focused and owned event in 2022, something we can start very simply, something that, I, you know, we're pretty clear.

B
We could make it just be a coming together of our community and really defining the agenda in a way that makes sense for us. I think that would be a really interesting thing to get started, perhaps building on the great work that was already done at SupplyChainSecurityCon on the periphery of KubeCon a few weeks ago. And then finally, further fundraising and grant writing, because what we actually see OpenSSF becoming is not just a home for the core projects you see at the working groups today, but for add-on funds that can be focused on kind of mid to large size.

B
A couple hundred thousand to a couple million dollar size funds for specific other types of work, work that can be well scoped, work for which there's a clear set of funders available for that kind of work and a pretty clear place to put those funds to work in a shovel-ready kind of setting, for anyone who remembers that term. And that's something we're really eager to get started on.

B
In fact, the first of those funds is kind of a blockbuster one, probably larger than any of the other funds will be out of the gate, and that's five million dollars committed to the Alpha-Omega project. Now we'll hear more about Alpha-Omega later in this call, but the funds there will be put towards some headcount to be able to accomplish the goals of Alpha-Omega, some software development and some advocacy work, and it's, you know, these are...

B
I should emphasize, dollar amounts that aren't the all we're ever going to raise. These are dollar amounts that are in the form of a commitment for 2022. We all have to show that this is a wide application of funding in order to be able to make the case to get the next year's, you know, re-up of that. We cannot take any of these dollars for granted that they'll come back next year, but this is money that we intend to spend over the course of the next year. So it's pretty exciting stuff.

B
To give you a little bit of a by-the-numbers bit just to get started. You know, we're really just beginning our social media presence. It's something that we've got, you know, a somewhat active YouTube stream, a somewhat active LinkedIn group. We did refresh the website at the beginning of the year, but we also... Oh, I'm sorry. I skipped this page.

B
This is the one that's perhaps more interesting and more fun. In the 15 months since launch, we've pulled together 68 member organizations to help us in this effort. Beyond those, though, what really matters is the over 500, 576, members, the participating individuals who have helped in the working groups, helped on the TAC, helped get the projects out there and running, and this is a very significant number we have. The larger numbers, of course, are out just on social media, people following what we do.

B
That sort of thing, Twitter, that kind of thing, but also a number to be really proud of is that the edX courses that David played a big role in creating, many of you also helped with, have now seen 5,300 different people register to take those courses, and that's, I mean, if we can get that number into, you know, another order of magnitude up this year, think about the impact that we'll have, think about the further impact it could have if we grow that further.

B
This is something that really, I think, could have a huge impact on the security space, and with that just kind of brief overview, I want to pass the baton now to David, to be able to take us into the next, to give us the big picture and a couple of the updates. David, I'll just advance the slides, just tell me when. Okay.
A
Okay, so I want to just kind of give a brief overview, particularly for those of you who've not interacted very much with the OpenSSF yet. We're hoping that you'll be convinced to become more involved, because we'd love even more participation. This is a little graphic that kind of shows the current OpenSSF structure. We have a new governing board which may change this, but, you know, I thought it'd be helpful to see how it's structured today. At the top we've got a governing board.

A
Brian's already mentioned that the governing board's created a couple of committees to help it, anywhere from public policy, marketing, budgeting, planning. The public policy one, for example, is where, when governments say, hey, we're thinking about policies related to this area, we would like, you know, some input, advice, you know, help us understand this. We can at least alert various folks so that they can be, hey, there's an organization, you know, a government organization, which wants to create reasonable policies; they're looking for input. Obviously the OpenSSF can't...

A
You know, it doesn't decide policies, but we're hoping to provide them useful information to help them make good public policies. So underneath the governing board is, of course, the Technical Advisory Council.

A
This structure of a governing board and a TAC is pretty common across many Linux Foundation foundations, and inside the TAC right now there are a whole bunch of working groups. We'll just read them off: Best Practices, Vulnerability Disclosures, Identifying Security Practices, Security Tooling, Supply Chain Integrity, which is a new name of the Digital Identity Attestation working group, and Securing Critical Projects working group. Next.

A
So currently we have all the projects within the OpenSSF live within some particular working group. That's not a requirement! It's just, you know, how things have been organized so far.

A
We're actually expecting that when Project Alpha-Omega gets running, it's going to be a sibling of the working groups, its own thing; it's a big thing of its own. But here what you'll see is those working groups I just listed a moment ago and some of the projects that they've been working on and have released things. So the Best Practices is badge-focused, though... sorry, the Best Practices working group: identification, awareness, education of security best practices.

A
This is where things like the CII Best Practices badge lives, the Scorecard, something called the Great MFA Distribution project (we'll talk about that in a moment), collaboration with OWASP CRE and Security Knowledge Framework, and the edX course. Vulnerability Disclosure focuses on efficient vulnerability reporting and remediation, things like: there's a guide for coordinated vulnerability disclosure for OSS projects. Identifying Security Threats, and it's a convoluted name.

A
Basically, it's trying to get security-related information about projects, things like having a collected set of reviews of open source projects, having a dashboard so that, when you're interested in a project, you can learn about it. Securing Critical Projects: this is identification of critical open source projects, which should help things like Alpha-Omega.

A
That's where Criticality Score, the Harvard research looking for critical projects, there's also Package Feeds and Package Analysis, looking for malicious code, and Allstar; we'll talk more about Allstar in a second. Security Tooling: this is basically looking at various tooling-related issues. Supply Chain Integrity is the new name of what was Digital Identity Attestation. I'm hearing my mic was a little low. Can you hear me now better? I hope so. All right, so Supply Chain Integrity, as I said, was named Digital Identity Attestation.

A
The issue is provenance, and this is where Supply chain Levels for Software Artifacts, or SLSA, lives, and we'll also talk about Project Alpha-Omega, which is its own thing. Next.

A
So there's a lot of projects going on, and I thought it might be helpful to get an idea of how the projects work together. It would actually take me quite some time to walk through this diagram and I'm not going to try to do that. I'm going to walk through it at a high level, but you can see this picture and walk through it on your own. But this is the picture, coming straight from SLSA.

A
In a couple of cases it's a little hard to do, there's multiple places, but nevertheless, what I hope you can see is, just from the placement of various and sundry things, that in fact there's a lot of different projects which focus on different parts of the problem, because no one project is going to resolve all security-related questions involving open source software or software in general. And so different projects work on different things, anywhere from the developer, you know, managing the source code, managing the build, packaging it up, releasing out to consumers.

A
We want to help developers select good packages by providing them package selection information. We want to identify critical projects and improve them, and sadly, I suspect, no matter what we do, we're going to have vulnerability information occasionally show up for all projects. We want to reduce it, but we're not going to be able to eliminate it. So we also want to have improved ways to share the vulnerability information, process it...

A
...yeah, improve the software rapidly. And if you walk through, I've tried to color-code and, you know, identify these various projects and where they live again, so you can see that it's not all in one place; we have different projects in a variety of different places.
B
Maybe we can have a design competition for the next iteration of this big picture slide.

B
Okay, is Michael Scovetta available? Michael.

D
I am, I am right here. I cannot go off... I cannot un-video my video.

B
Oh okay! Well, why don't I... well, I figured that out. Why don't I just advance to the first slide and you can start talking, and then I will figure out if we can enable video.

D
Awesome, so yeah, thanks everybody. I'm here to talk about Alpha-Omega. So this is a project. It's designed to improve the security posture, meaning the security quality, the actual, you know, security of open source projects in two different ways. One is through direct engagement, which means reaching out to projects, figuring out what they need and helping, and the second is by identifying critical vulnerabilities at scale.

D
This was provided through joint funding by Microsoft and Google. I'm very appreciative to those organizations for making this happen. This has been approved. So we are kind of good to go. We are waiting... well, chief, advance the next slide.

D
Actually, well, let me just talk more about what the project is. So it's really two different projects, Alpha and Omega. We'll call them subprojects or streams or something that makes sense, but Alpha is targeting the most critical open source projects out there, somewhere on the order of a hundred.

D
It may be slightly more than that, but it won't be fifty thousand. These are long-term engagements. We're going to approach them with a learning mindset, reach out to them, talk to them, figure out what they need, what security challenges do they have? They will all be different for each project. In some cases we'll be able to help, in some cases maybe we can't help, in some cases maybe they don't want our help. Either way...

D
We want to start that conversation, but when we do agree on something that we can help with, it can take many different forms. We could help out with threat modeling, we could set up automation, we could do bug triage, we could, in theory, fund a resource, a security resource, for that team. We could do a source code audit. We could basically, if their biggest security challenge is that they need rocks moved from point A to point B...

D
We should pick up a shovel and help them move rocks. The most critical open source projects are the ones that have a much higher than average impact on the ecosystem if they were to fail spectacularly with a critical vulnerability. The actual decision of which projects are the most critical...

D
We've asked the Critical Projects working group to help out in doing that selection criteria and kind of coming up with that list, but it would be the types of projects and infrastructure that would make sense. So as an example, a package management system like npm or PyPI or RubyGems are core to the ecosystem.

D
It would make sense to consider things like that. Similarly, Node, C, Python, you know, webpack, things like that. The types of projects that are used basically everywhere.

D
Looking for just critical vulnerabilities, backdoors, custom malware, things like that, having security analysts triage the results of that. So we're not going to be running the output of a tool and then automatically filing issues or throwing things over the wall. This is going to be kind of... we want it to be a high-quality experience for the maintainer; they're going to get good vulnerability...

D
The quality of the tools have to be near magical, which means some of the headcount that we're asking for for this project is to be tuning this continuously. So every time a false positive comes up, we make sure that the false positive never comes up again by tightening the rules and adding more logic.

D
This is an ambitious project. Everybody... I've had a lot of people reach out and say, hey, this thing sounds great, but it's like a really, really, really hard problem. The world needs this, so we're gonna try our best; we're gonna do it. Next slide?

D
Okay, so Alpha-Omega, there's a public announcement that's gonna be coming soon. So please don't... it's not super secret, but please don't pre-announce. We're getting details on our 2022 operating plan. The first four to six months, I would say, is going to be a lot of learning, so we're going to be trying to be very agile and just do stuff and then learn and change.

D
We are going to be hiring some folks, so if you have candidates that you think would kind of love this role, ping me, or you ping me on the Slack channel too, that I created for this. I'll have job descriptions out pretty shortly. We're still trying to figure out: should these be contractors, should these be full-time, things like that, but I think the most important thing is that we get the right people for this. And next slide. I think that was it.
B
That was it. Thank you so much, Michael, and there was a question asked and answered about how the projects will be selected. David shared that you had answered part of that, and we'll be working with the Critical Projects working group as well to try to figure out quantitatively and fairly which ones are most critical, but there's always going to be a bit of a subjective part to this as well, I suspect. Next up on SLSA, Abhishek. Are you around and able to chat?

A
Try again, I just made some changes.

E
Yes, so SLSA stands for Supply chain Levels for Software Artifacts. The work started, I would say, two or three months back, and we have pretty strong participation from the community. So members at various companies like VMware, Intel, Datadog, Citibank, to name a few, have been involved in contributing to the SLSA spec. So we have released the SLSA v0.1 spec, that is available for the community to review, recently.

E
We also came to consensus on the SLSA provenance format, which got a significant revamp for usability, and next we are looking to work more on the implementation aspect, so creating more demos for these different levels so that the community can easily update them. Any questions on that front? I think we will probably do questions at the end, right?

E
This is the Digital Identity Attestation working group that SLSA is part of. In the community we have been discussing renaming it to Supply Chain working group, because that encompasses the entire stream of work. So that's in progress, right.

B
Right, and what's the newest thing that's come out of the SLSA effort?

E
It's the provenance format. V0.2 is released, I think that's last week. So that's the newest thing that came out.

B
Very cool, okay, great. And on the vulnerability disclosure guide, we thought it'd be worth sharing a little bit about this. I know Jennifer is on the call. I don't want to put her on the spot unless she wants to speak to it. I know it's something that she's worked on quite a bit. Let's see, Jennifer, are you up for sharing, or should David cover this?
F
Sure
yeah,
no,
I'm
happy
to
jump
in.
Thank
you.
So
the
vulnerability
disclosure
loop,
a
group
which
is
led
by
christopher
robinson
krobe
from
intel,
has
been
working
together
on
a
number
of
things.
The
the
core
of
one
of
these
that
we've
released
recently
is
a
guide
to
coordinated
vulnerability
disclosure.
F
So
basically,
what
we're
trying
to
do
is
create
an
accessible
resource
that
lets
us
into
some
of
the
things
that
open
source,
maintainers
may
or
may
not
know,
and
are
often
unspoken
about
doing
coordinated
vulnerability,
disclosure
and
about
receiving
vulnerability
reports
from
security
researchers
to
better
empower
maintainers
to
have
a
successful
disclosure
with
the
researcher,
but
also
to
set
some
norms
as
to
what
we
can
expect
in
terms
of
well-meaning
research
compared
to
things
that
might
be
less
desirable
or
less
cooperative.
F
We have some open GitHub issues about some exciting things we might do in the future, like helping with incident response or kind of emergency scenarios when teams are overwhelmed by the type of report that they receive, either because they can't write the patch or because coordination with downstream projects is high impact but difficult to do. So there's a lot of great work in this space and we absolutely welcome anyone who is interested in helping us improve vulnerability disclosure for open source projects to get involved with that group. We'll also be doing a lot of outreach that we're working on preparing right now to help developers and open source maintainers better work with researchers.
B
Thank you, Jennifer, really important work to do. Thank you for that. David, I'll pass the mic back to you to talk about the great MFA distribution project.
A
Okay, so I don't think I need to explain too hard to many people here that, unfortunately, some of the insertions of various malicious code and malicious packages in the past have occurred because attackers managed to acquire passwords, basically stealing passwords, and then exploit that to log in as the developer and distribute code that, in fact, was a program or a package that was not approved by the actual developer.
A
So there's a solution for this. So, you know, the solution will be getting more open source software developers to use multi-factor authentication tokens. That doesn't mean it's impossible to steal credentials, but it's a whole lot harder when you've got hardware tokens instead of just "I gotta copy a couple characters down." I'm happy to say that both Google and GitHub have agreed to offer a set of free tokens, MFA tokens, to give away to select open source software developers, and so this is a project currently mine.
A
To basically do some... currently in early stages, basically try to figure out, well, who would get those tokens, the free ones? How do we make sure these are distributed securely, because we don't want this to be the best supply chain attack ever, so we're talking about, you know, using coupon codes and so on. How to measure impact, and probably the most important, is how to develop or point to very simple, short instructions. Developers are really busy.
A
Using this token, here's how you do it, simple, short as possible, and focus on the typical needs for open source developers, because a lot of the documentation for these is often very generic and doesn't skip those things that don't matter and doesn't focus on the "here's what you do." If you're interested in this, please get involved in the Best Practices working group. Really, this is one of those things that, you know, the task crosses multiple working groups, but since the expectation is that a lot of the work is really going to be trying to figure out how to describe the best practices as simply as possible, that's where this lives, at least for now. For more, there's the repo. Next.
B
Thanks, David, and next we'll go to Scorecard and Allstar, and Abhishek, can I call you back to the mic to cover the updates here?
E
Yes, definitely. So at a very high level, the Scorecards project is scaling pretty well. It now runs on 1 million repositories on GitHub and gives an idea of their security posture.
E
We are also working on this new GitHub signing solution... sorry, not signing solution, as part of the GitHub code scanning pipeline, so it's being integrated there as an app. And let's see what else. Regarding the Allstar project, it's running on more than 5000 repositories right now and getting more tightly integrated with Scorecards checks, and there is also ongoing collaboration with the Sigstore and SLSA projects on how we can show more of the code.
B
That's great, thank you so much. So that was really just kind of a taster of the fire hose that is the different projects going on at OpenSSF. You know, different perhaps than other open source projects, you know, as David mentioned, we're predominantly organized by working group and then there's projects within each of the working groups.
B
As you can see, a lot of these are about standards, about scorecards, about a little bit of code here and there, but mostly about how do we all work together, you know, in a coordinated fashion, to uplift both the hundred most critical open source projects but also the broad base as well. And so there's a lot more kind of in the works and things that are initiated now and kind of getting to the same point as the ones that we chose to highlight.
B
But if there's any other efforts that anybody on the call who's been involved with OpenSSF wants to highlight before we dive into, you know, kind of an open question and answer time, feel free to kind of raise your hand and we'll try to pick you and give you the floor for a little bit. Anything else going on in the OpenSSF land that folks want to chat about or share?
G
Hi everyone, I just want to give a quick update on some work we just completed in collaboration with CNCF reviewing Flux, a component of Kubernetes. So we coordinated a security engagement resulting in the patching of a high severity CVE, as well as around 21 other security improvements to the software. So I'm going to be sharing that with everybody via email, as well as sending links to the work groups, so you can kind of go in and look at that in detail. The full report is published online, so anyone can view it. So, thank you.
B
That's great, okay. Anyone else have anything they'd like to share? Yeah.
A
Brian, if I may jump in real quick, I think the Flux thing is actually an example. You know, you mentioned, hey, there's some code, but it's not all code here. We're not interested in taking over projects, we're very much interested in working with projects to help make things better, and I think, if you see a lot of the things that the OpenSSF has been doing, it's very much helping successful projects succeed further.
G
Any other thoughts, or should we move on? I'll just share the link now per Jennifer's request. Okay.
B
Okay, great, we do have another question in the Q&A from Eric Heitzman. Eric, I can read it, or I can unmute you to read it, if you'd like.
B
Yeah, I'll answer one part of this quickly and then, of course, open it for others to chime in, but I think we're certainly interested in being an aggregator of the outputs of tools: open source, commercial, otherwise. When it comes to the things that are kind of hard to do and the things for which there aren't really great open source equivalents, such as the kinds of tools you mentioned, we already have a couple of integrations in a tool that the Linux Foundation has been using for security analysis of its projects. That will be expanding as part of project Alpha-Omega to other open source projects, and to be relevant and then involved with the Alpha-Omega effort. So certainly interested in talking with you about other tools that you think might be appropriate as well, so feel free to get in touch with us off to the side to talk further about that. Thanks, Eric. Thank you. Yeah, Jacques, let me unmute you or allow you to talk here. Would you like to ask your question verbally?
D
Michael, you want to take that? Sure, yeah, so as part of kind of throwing the idea of Alpha around, we reached out to about ten projects; about half of them got back, and they were all amenable to the idea of it. The problem is, I don't want to go too far down the route of making it seem like we're promising to do something with them and then pull the rug back. So I was trying to be very careful in how we engage.
D
We do have one very high profile organization that we have started conversations with about kind of a marquee initial project. I don't want to talk about that in this kind of semi-public forum, but I can connect with you offline about that. I would like that to be announced at the public announcement of Alpha-Omega. If you look at the top projects of the criticality score listing, a lot of those do seem to be good candidates for Alpha, and that's really where we'll be starting. So it's a little bit of chicken and egg. I didn't want to jump the gun and have too many in-depth conversations without...
B
Thank you, Michael. Okay, well, we've churned through the open questions in the Q&A tool. I don't see anyone with their hand up still. Anything else that anyone involved with the project wants to toss out as an update to something that they've been working on, or they wanted to draw some attention to?
B
How about anything on the periphery? There's so many. I mean, this is one thing: we're not trying to be the home for all things security. Our hope is certainly that what we do is inspire a whole lot of efforts in every open source initiative to go and build things using our standards, using our specs, perhaps upstreaming to us in some ways here and there, but certainly lots of security efforts on the periphery. So we'll count a lot of things. It looked like... Kay, did you raise your hand?
K
I did, okay, yeah. So I thought I could mention a little bit that's going on. This is related to the executive order, but there's some great collaboration that's happening across the SLSA project, which is currently in the OpenSSF, and then a couple of projects that are just outside of OpenSSF. One is the in-toto project and another one is the SCIM project, the Supply Chain Integrity Model.
K
I'll mention we're hoping to move into OpenSSF, into the newly rescued Digital Identity, soon to be Supply Chain, working group in OpenSSF, and the collaboration that's going on is around arriving at some standard data format and some standard schema, specifically, that we can all use.
K
You know, companies like Microsoft, other companies that are part of the OpenSSF, for describing our conformance to the requirements in the executive order. So that's happening kind of behind the scenes right now, but hopefully soon we'll be having those discussions about the standard format and the standard schemas also inside of the OpenSSF. The format that we're starting with is the in-toto attestation format, which is currently used with SLSA. So, if folks are interested in that, you can do the lookup on in-toto attestations and find more.
K
The other discussions that are going on are around having a common signing format for all of these supply chain attestations, and there are a couple that are floating around in different groups, and we're hoping to have discussions, and you know, broader discussions, with companies in OpenSSF and have those as part of the new Supply Chain Integrity working group. So that's, you know, some of that is there, steps of it that are formed, and other things that will be coming down in the future.
C
Sure, can you hear me? Okay, yes, great. Thanks for making a little moment for me to talk about GitBOM. This has been work I mentioned at the supply chain security summit, and anyone who's run into me in the hallway or online probably heard me talk a little bit about it, or Ed Warnicke over at Cisco is also working on this. It's a project to rally support around using an existing and well-known file format to track the supply chain from source code through binaries across languages, and integrate this into the language toolchains. We'll be setting up our meetings and getting all that sort of community infrastructure going in the next couple weeks, and then happy to chat with OpenSSF folks about bringing it in here over time.
B
Thank you, Aeva, yeah. I find it super interesting as a complement to so much of the rest of the work that we're doing, and perhaps something that we can really align very closely to. We had one question in private chat from Mutu Balaraman, who asked: even though the security risks are much talked about for open source software, how about the license associated with open source software? What are the key risks the organization should be concerned about? Any projects focused on open source licenses?
B
I will mention here, perhaps, that one of the key tools for license conformance in the open source space has been a standard called SPDX that has been developed by a whole community of people working under the aegis of the Linux Foundation for a long time, to try to make sure that, given a body of code that you think is open source licensed, is every underlying dependency, every underlying bit, actually open source licensed, and which license? Am I allowed to redistribute it under?
B
You know, knowing that some licenses carry obligations on other pieces of code. SPDX is now also really a key platform, a key standard being looked at for SBOM functionality, which is what the executive order called for, and you know, there's a couple of options out there and I think there's going to be some intentful effort to put those into a box so that we combine efforts there rather than compete on something as fundamental as the documentation format for a standard for bill of materials.
B
But when it comes to licensing, I think that's this interesting access point between what we're doing and what's come before: lots of other places to talk about open source licensing, the Open Source Initiative, for example, being one of them, but really the security work we see here is fairly complementary to it, if pretty distinct.
A
Yeah, just real quick, as far as the licensing, OpenSSF isn't particularly focused on licensing but obviously cares about components. There's another group, OpenChain, which is actually a standard for how to intake open source software and look at things like licenses and so on. It's more than that, but if you're interested, please go take a look at OpenChain.
B
We can't hear you. If you can type your question, I can read it aloud.
B
And I think Azim's question will be the last one, actually. While we're waiting for him to type it, just type it into chat, as in, if you can. There was a question about whether the meeting is being recorded. Yes, it is, and how the recording will be made available.
B
We will post it as soon as we've been able to just validate it onto the OpenSSF website and share it through social, and I don't know if automatically we send a link to everybody who attended, but we'll try to do that as well.
B
Jory is also dropping in links to the OpenChain project and to spdx.dev, just germane to the last conversation point. And I think with this, unless Azim is still typing his question, any other last questions or comments or thoughts before we wrap up?
B
Okay, well, with that, I want to thank you all for attending, and look for the recording soon. Please come to the next town hall and we'll give you all updates on what we do then. Thank you, of course, to Michael, to Jennifer, to Abhishek and David, of course, for putting together this great content, and all of you for asking great questions, and we will see you all again soon. Thank you.